A valid variable name starts with a letter or underscore, followed by any number of letters, numbers, or underscores. As a regular expression, it would be expressed thus: '[a-zA-Z_x7f-xff][a-zA-Z0-9_x7f-xff]*'

Technically, you can get around this in two different ways - variable varaibles and the more complex notation with curly braces. He points to the compact function for proof that they're set.

I just came back home and saw a very recent commit to PHP's session management. It is another attempt to fix the session cookie attribute injection that the PHP developers already tried to fix in PHP 5.2.3 without giving any credits. [...] their new fix that consists of blacklisting a bunch of legal characters from the session id, will most probably result in hundreds or thousands of broken sites.

Stefan points out that the fix blocks several valid characters that sites could potentially use in their session IDs, and that with this new code in place, it could drastically effect those site's functionality.

As of the time of this post, however, it seems that the issue has been recognized and corrected so as not to cause the above mentioned issue in future updates.